Skip to main content

Apache CVE-2026-32690

| EUVDEUVD-2026-23666 LOW
Exposure of Resource to Wrong Sphere (CWE-668)
2026-04-18 apache GHSA-w9r4-94fj-xp69
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

6
Analysis Generated
Apr 20, 2026 - 17:54 vuln.today
CVSS changed
Apr 20, 2026 - 17:52 NVD
3.7 (LOW)
EUVD ID Assigned
Apr 18, 2026 - 07:00 euvd
EUVD-2026-23666
Analysis Generated
Apr 18, 2026 - 07:00 vuln.today
Patch released
Apr 18, 2026 - 07:00 nvd
Patch available
CVE Published
Apr 18, 2026 - 06:22 nvd
LOW 3.7

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 pypi packages depend on apache-airflow (2 direct, 2 indirect)
  • 4 pypi packages depend on apache-airflow-core (2 direct, 2 indirect)

Ecosystem-wide dependent count for version 3.0.0 and other introduced versions.

DescriptionCVE.org

Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked.

If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented

AnalysisAI

Apache Airflow 3.0.0 through 3.1.x fails to redact secrets stored as nested fields within JSON-formatted variables, allowing authenticated users with variable access to retrieve plaintext sensitive values. This information disclosure vulnerability affects deployments that store credentials or API keys as JSON dictionary structures in Airflow variables. The EPSS score of 0.02% and CVSS 3.7 with high attack complexity reflect limited real-world exploitation likelihood, but the vulnerability poses direct risk to organizations using JSON-structured secrets without additional access controls.

Technical ContextAI

Apache Airflow's variable masking mechanism is designed to redact sensitive values when variables are retrieved or displayed. The vulnerability stems from incomplete redaction logic (CWE-668: Exposure of Sensitive Information to an Unauthorized Actor) that fails to recursively mask secrets nested within JSON dictionary structures. When variables are serialized as JSON objects containing sensitive fields at arbitrary depth, the redaction logic only masks top-level values or applies insufficient depth traversal. This affects the Airflow UI, API responses, and programmatic variable retrieval methods. The issue is specific to JSON-formatted variables; plaintext string variables or non-JSON formats are properly masked. Affected CPE cpe:2.3:a:apache_software_foundation:apache_airflow:*:*:*:*:*:*:*:* covers all Apache Airflow versions from 3.0.0 through 3.1.x.

RemediationAI

Upgrade to Apache Airflow 3.2.0 or later, which includes the fix implemented via GitHub PR #63480 (https://github.com/apache/airflow/pull/63480). This patch ensures recursive masking of secrets within JSON-structured variables. For organizations unable to upgrade immediately, implement the following compensating controls: (1) Restrict variable access via Airflow RBAC to only users with demonstrated need to handle sensitive values, with audit logging enabled for all variable access-trade-off is reduced operational flexibility for users requiring variable inspection. (2) Avoid storing secrets directly in Airflow variables in JSON form; instead, use Airflow's Secrets Backend integration (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager) which applies consistent redaction independent of data structure-this requires refactoring variable usage and may impact deployment scripts. (3) Deploy variable access monitoring via log aggregation to alert on unusual variable retrieval patterns, flagging API or UI access to variables containing JSON-formatted credentials-this provides detection but not prevention. (4) Implement network-level access controls restricting direct API access to Airflow's variable endpoints to trusted internal IPs only. Upgrade to 3.2.0 remains the authoritative fix.

Share

CVE-2026-32690 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy